-1

i have maked a login system and trying to prevent sql injection,hope someone can point out all the thing i done wrong.

code:

<?php
class airlogin{

    public function __construct(){
        $this->login();
    }

    public function login(){

    if(isset($_POST['submit'])){
    if(!empty($_POST['login-name']) && !empty($_POST['login-password'])){
            $con = new PDO ('mysql:host=localhost;dbname=air','root','123456');
            $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
            $loginuser = $_POST['login-name'];
            $loginpassword = $_POST['login-password'];

            $table = 'air_user';

            //select for data base//
            $sql = "SELECT * FROM $table WHERE user_name ='".$loginuser."'";
            $results = $con->prepare($sql);
            $results->execute();

            $results = $results->fetch(PDO::FETCH_ASSOC);

            $backupname = $results['USER_NAME'];
            $backuppassword = $results['USER_PASSWORD'];
            $backupemail = $results['USER_EMAIL'];

            if($backupname == $loginuser && $backuppassword == $loginpassword){
                echo "you have succeful login";
            }else{
                echo "username and password is not correct";
                $redirect = 'nextinjection.php';
                header("Location: $redirect?reg=false");
            }

    }else{
        echo "empty";
        // $redirect = 'nextinjection.php';
  //        header("Location: $redirect?reg=false");
    }
    }

    }
}

$airlogin = new airlogin;

?>

i am trying the login sql injection , which mean at the login page i input test' OR 1=1-- and password 123456 and it return this to fatal message.

Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1' in C:\wamp\www\alogin.php on line 22

so do i it mean i prevent the sql injection ?? or i fail to do it ?? it got error message , so anyone can advice me ?? i have read around but still only little understanding on the sql injection.

user3233074
  • 519
  • 4
  • 18

1 Answers1

1

Don't do this

$sql = "SELECT * FROM $table WHERE user_name ='".$loginuser."'";
            $results = $con->prepare($sql);
            $results->execute();

You're using a driver that supports prepared statements so use them.

$sql = "SELECT * FROM $table WHERE user_name = ? and USER_PASSWORD = ?";
            $results = $con->prepare($sql);
            $results->execute(array($loginuser, $loginpassword));

I've also updated this so the SQL checks that the username and password match up so if you get a result from this query login is success.

Here's are other resources on it:

http://en.wikipedia.org/wiki/Prepared_statement http://php.net/manual/en/mysqli.quickstart.prepared-statements.php http://php.net/manual/en/pdo.prepared-statements.php

How can I prevent SQL injection in PHP?

Update:

if ($results->rowCount() > 0) {
     echo "you have succeful login";
}else{
     echo "username and password is not correct";
     $redirect = 'nextinjection.php';
     header("Location: $redirect?reg=false");
}
Community
  • 1
  • 1
chris85
  • 23,846
  • 7
  • 34
  • 51